Abstract

Aircraft collision avoidance maneuvers are important and complex applications. Curved flight exhibits nontrivial continuous behavior. In combination with the control choices during air traffic maneuvers, this yields hybrid systems with challenging interactions of discrete and continuous dynamics. As a case study illustrating the use of a new proof assistant for a logic for nonlinear hybrid systems, we analyze collision freedom of roundabout maneuvers in air traffic control, where appropriate curved flight, good timing, and compatible maneuvering are crucial for guaranteeing safe spatial separation of aircraft throughout their flight. We show that formal verification of hybrid systems can scale to curved flight maneuvers required in aircraft control applications. We introduce a fully flyable variant of the roundabout collision avoidance maneuver and verify safety properties by compositional verification.
Figure 1: Evolution of collision avoidance maneuvers in air traffic control. (a) Linear; (b) Circular; (c) Counterexample; (d) Tangential.


1 Introduction

In air traffic control, collision avoidance maneuvers [23, 13, 5, 6, 10] are used to resolve conflicting flight paths that arise during free flight. See Fig. 1 for a series of increasingly realistic, yet also more complicated, aircraft collision avoidance maneuvers. Fig. 1c shows a malfunctioning collision avoidance attempt. Collision avoidance maneuvers are a "last resort" for resolving air traffic conflicts that could lead to collisions. They are important whenever conflicts have not been detected by the pilots during free flight or by the flight directors of the Air Route Traffic Control Centers. Consequently, complicated online trajectory prediction or maneuver planning may no longer be feasible in the short time that remains for resolving the conflict. In the tragic 2002 mid-flight collision in Überlingen [3], the aircraft collided tens of seconds after the on-board traffic alert and collision avoidance system TCAS [13] signalled a traffic alert. Thus, for safe aircraft control we need particularly reliable reactions with maneuvers whose correctness has been established previously by a thorough offline analysis. To ensure correct functioning of aircraft collision avoidance maneuvers under all circumstances, the temporal evolution of the aircraft in space must be analyzed carefully together with the effects that maneuvering control decisions have on their dynamics. This results in complicated superpositions of physical system dynamics with control, which is an example of a hybrid system [7].

Several numerical [23, 11, 2, 9, 10] or optimization-based [11, 2, 8, 10] approaches have been proposed for air traffic control. It is difficult to give sound formal verification results for these approaches due to errors in numerical computations or implicit definition of maneuvers in terms of complicated optimization processes. Formal verification is important to avoid collisions; see Fig. 1c. Formal results have been given by geometrical reasoning [5, 6, 24, 25] in PVS. Yet, one still has to prove by other techniques that the hybrid dynamics of a flight controller actually follows the geometrical shapes. In contrast, we verify the hybrid system dynamics directly using a formally sound approach (assuming sound elementary decision procedures), consider curved flight, and achieve better automation.

Control Challenges. Because of the complicated spatio-temporal movement of aircraft, their maneuvers are challenging for verification. Unlike in ground transportation, braking and waiting is not an option to resolve conflicts. Consequently, aircraft maneuvers have to be coordinated such that the aircraft always respect minimal and maximal lateral and angular speed constraints yet always remain safely separated. Further, angular velocity for curving is the primary means of control, because changes in thrust and linear speed are less efficient for aircraft.

Technical Challenges. Complexities in the analysis of aircraft maneuvers manifest most prominently in difficulties with analysing hybrid systems for flight equations. General solutions of flight equations involve trigonometric functions that depend on the angular velocity ω and the orientation of the aircraft in space. For straight line flight (ω = 0), the movement in space is just linear so that classical analysis techniques can be used [7]. These include pure straight line maneuvers [23, 14, 5, 6, 10]; see, e.g., Fig. 1a. They have to assume instant turns for heading changes of the aircraft between multiple straight line segments. Instant turns, however, are impossible in mid-flight, because they are not flyable: aircraft cannot suddenly change their flight direction from 0 to 45 degrees discontinuously but need to follow a smooth curve instead, in which they slowly steer towards the desired direction by adjusting the angular velocity ω appropriately. Further, the area required by maneuvers for which instant turns could possibly be understood as adequately close approximations of properly curved flight is prohibitively huge. Curved flight is thus an inherent part of real aircraft control.

During curved flight, the angular velocity ω is non-zero. For ω ≠ 0, flight equations have transcendental solutions, which generally fall into undecidable classes of arithmetic; see Appendix A.1. Consequently, maneuvers with curves, like in Fig. 1b-1d, are more realistic but also substantially more complicated for verification than straight line maneuvers like that in Fig. 1a. We have recently developed a sound verification algorithm that works with differential invariants [17, 20, 22] instead of solutions of differential equations to address this arithmetic. In the associated report [21], we have shown that 3 kinds of properties can be verified with this approach for some phases of curved flight. Now we prove a significant extension and show that, indeed, a full curved flight maneuver is amenable to formal verification, and we verify 12 corresponding properties.

In this paper, we introduce and verify the fully flyable tangential roundabout maneuver (FTRM). It refines the non-flyable tangential roundabout maneuver (NTRM) from Fig. 1d, which has discontinuities at the entry and exit points of roundabouts, to a fully flyable curved maneuver. Unlike most previously proposed maneuvers [23, 2, 14, 5, 4, 6, 10], FTRM does not have non-flyable instant turns. It is flyable and smoothly curved. Unlike other approaches emphasizing the importance of flyability [11], we give formal verification results.

Contribution. Our main contribution is to show that reality in model design and coverage in formal verification are no longer incompatible desires even for applications as complex as aircraft maneuvers. As a case study illustrating the use of differential dynamic logic for hybrid systems [18], we demonstrate how tricky and nonlinear dynamics can be verified with our verification algorithm [20, 22] in our verification tool KeYmaera. We introduce a fully curved flight maneuver and verify its hybrid dynamics formally. In contrast to previous approaches, we handle curved flight, hybrid dynamics, and produce formal proofs with almost complete automation. Manual effort is still needed to simplify arithmetical complexity and modularize the proof appropriately. We further illustrate the resulting verification conditions for the respective parts of the maneuver. Finally, we identify the most difficult steps during the verification and present new transformations to handle the enormous computational complexity. To reduce complexity, we still use some of the simplifications assumed in related work, e.g., synchronous maneuvering (i.e., aircraft make simultaneous maneuver choices).


2 Related Work

Lafferriere et al. [12] gave important decidability results for hybrid systems with some classes of linear continuous dynamics but only random discrete resets. These results do not apply to air traffic maneuvers, because these maneuvers have non-trivial resets: the aircraft's position does not just jump randomly when switching modes but, rather, systematically according to the maneuver.

Tomlin et al. [23] analyze competitive aircraft maneuvers game-theoretically using numerical approximations of partial differential equations. As a solution, they propose roundabout maneuvers and give bounded-time verification results for straight-line approximations (Fig. 1a). We verify actual curved roundabout maneuvers with up to 28 variables and use a sound symbolic approach that avoids numerical approximation errors.

Flyability has been identified as one of the major challenges in Kosecka et al. [11], where planning based on superposition of potential fields has been used to resolve air traffic conflicts. This planning does not guarantee flyability but, rather, defaults to classical vertical altitude changes whenever a nonflyable path is detected. The resulting maneuver has not yet been verified. The planning approach has been pursued by Bicchi and Pallottino [2] with numerical simulations.

Numerical simulation algorithms approximating discrete-time Markov chain approximations of aircraft behavior have been proposed by Hu et al. [9]. They approximate bounded-time probabilistic reachable sets for one initial state. We consider hybrid systems combining discrete control choices and continuous dynamics instead of uncontrolled, probabilistic continuous dynamics.

Hwang et al. [10] have presented a straight-line aircraft conflict avoidance maneuver that involves optimization over complicated trigonometric computations, and validate it using random numerical simulation and informal arguments.

The work of Dowek et al. [5] and Galdino et al. [6] is probably closest to ours. They consider straight-line maneuvers and formalize geometrical proofs in PVS.

A few attempts [14, 4] have been undertaken to model check discretizations of roundabout maneuvers, which indicate avoidance of orthogonal collisions (Fig. 1b). However, counterexamples found by our model checker in previous work [19] show that collision avoidance does not extend to other initial flight paths of the classical roundabout; see Fig. 1c.

Pallottino et al. [16] have presented a spatially distributed pattern for multiple roundabout circles at different positions. They reason manually about desirable properties of the system and estimate probabilistic results as in [9]. Pallottino et al. thus take a view that is complementary to ours: they determine the global compatibility of multiple roundabouts while assuming correct functioning within each local roundabout. We verify that the actual hybrid dynamics of each local roundabout is collision free. Generalizing our approach to verify a spatial pattern of verified local roundabouts could be interesting future work.

Similarly, the work by Umeno and Lynch [25, 24] is complementary to ours. They consider real-time properties of airport protocols using Timed I/O Automata. We are interested in proving local properties of the actual hybrid system.

Our approach has a very different focus than other complementary approaches:

• Our maneuver directly involves curved flight, unlike [23, 9, 5, 6, 10, 25, 24]. This makes our maneuver more realistic but much more difficult to analyze.

• Unlike [11, 9, 10], we do not give results for a finite (sometimes small) number of initial flight positions (simulation). Instead, we verify uncountably many initial states and give unbounded-time horizon verification results.

• Unlike [23, 11, 2, 9, 8, 10], we use symbolic instead of numerical computation so that numerical and floating point errors cannot cause soundness problems.

• Unlike [2, 14, 9, 5, 6, 10, 25, 24], we analyze hybrid system dynamics directly.

• Unlike [11, 23, 2, 9, 10, 14, 16], we produce formal, deductive proofs. Further, unlike the formal proofs in [5, 6, 25, 24], our verification is much more automatic.

• In [5, 6, 10, 25, 24], it remains to be proven that the hybrid dynamics and flight equations follow the geometrical thoughts. In contrast, our approach directly works for the hybrid flight dynamics. We illustrate verification results graphically to help understand them, but the figures do not prove anything.

• Unlike [15], we consider collision avoidance maneuvers, not just detection.

• Unlike [2, 8], we do not guarantee optimality of the resulting maneuver.


3 Background: Differential Dynamic Logic

Hybrid Programs. We use a hybrid program (HP) notation [18] for hybrid systems that include hybrid automata (HA) [7]. Each discrete and continuous transition corresponds to a sequence of statements, with a nondeterministic choice (∪) between these transitions. Line 2 in Fig. 2 represents a continuous transition in a simplistic altitude controller. It tests (denoted by ?q = up) if the current location q is up, and then follows a differential equation restricted to invariant region z ≤ 9 (conjunction z′ = 1 ∧ z ≤ 9). Line 3 tests guard z ≥ 5 when in state up, resets z by a discrete assignment, and then changes location q to down. The * at the end indicates that the transitions of a HA repeat indefinitely. We will build HP directly, which gives more natural programs than HA-translation.

As terms we allow polynomials over ℚ with variables in a set V. Hybrid programs (HP) are built with the statements in Table 1. The effect of x := θ is an instantaneous discrete jump assigning θ to x. Instead, x := ∗ randomly assigns any real value to x by a nondeterministic choice. During a continuous evolution x₁′ = θ₁ ∧ … ∧ xₙ′ = θₙ ∧ χ with terms θᵢ, all conjuncts need to hold.
Table 1: Statements and (informal) effects of hybrid programs (HP)

  notation                        statement             effect
  x := θ                          discrete assignment   assigns term θ to variable x ∈ V
  x := ∗                          nondet. assignment    assigns any real value to x ∈ V
  x₁′ = θ₁ ∧ … ∧ xₙ′ = θₙ ∧ χ    continuous evolution  diff. equations for xᵢ ∈ V and terms θᵢ,
                                                        with formula χ as evolution domain
  ?χ                              state check           test formula χ at current state
  α; β                            seq. composition      HP β starts after HP α finishes
  α ∪ β                           nondet. choice        choice between alternatives HP α or β
  α*                              nondet. repetition    repeats HP α n times for any n ∈ ℕ

Its effect is a continuous transition controlled by the differential equation x₁′ = θ₁, …, xₙ′ = θₙ that always satisfies the arithmetic constraint χ (thus remains in the region described by χ). This directly corresponds to a continuous evolution mode of a HA. The effect of state check ?χ is a skip (i.e., no change) if χ is true in the current state and that of abort otherwise. Non-deterministic choice α ∪ β expresses alternatives in the behavior of the hybrid system. Sequential composition α; β expresses a behavior in which β starts after α finishes (β never starts if α continues indefinitely). Non-deterministic repetition α* repeats α an arbitrary number of times (≥ 0). If F is a differential equation system and G is a first-order formula, the operation do F until G expresses that the system follows differential equation F exactly until condition G is true. It is definable by a HP. We define do F until G as the HP F ∧ (¬G ∨ ∂G); ?G. There F evolves while ¬G ∨ ∂G holds and can only stop when G holds. There ∂G denotes the border of G. For instance, do F until x₁ ≥ 0 is F ∧ x₁ ≤ 0; ?x₁ ≥ 0.
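To make the statement semantics of Table 1 concrete, the following Python interpreter (an added example, not part of the paper or of KeYmaera) executes hybrid programs built from the statements above, with the altitude controller of Fig. 2 transcribed as its input. Nondeterminism is resolved by enumeration: both branches of a choice are explored, loops are unrolled up to a bound, and evolution durations come from a constructed finite grid, so `box` only inspects finitely many runs; it illustrates the semantics of [α]φ and of the do-until encoding and is not a substitute for the deductive proofs the paper produces. The AST class names, the `DURATIONS` grid, and the restriction to constant-rate differential equations are this example's own choices.

```python
# Bounded interpreter for the hybrid program statements of Table 1 (added example).
# Nondeterminism is enumerated: both branches of a choice, loops unrolled up to a bound,
# evolution durations from a finite grid. The explored states under-approximate the
# reachable set: enough to exercise the semantics, not a proof.
from dataclasses import dataclass
from typing import Callable, Dict, Iterator

State = Dict[str, object]               # variable -> value (a real, or a location such as "up")
Pred = Callable[[State], bool]

@dataclass(frozen=True)
class Assign:                           # x := theta
    var: str
    term: Callable[[State], object]

@dataclass(frozen=True)
class Test:                             # ?chi
    cond: Pred

@dataclass(frozen=True)
class Evolve:                           # x1' = k1 ∧ ... ∧ xn' = kn ∧ chi  (constant rates only)
    rates: Dict[str, float]
    domain: Pred

@dataclass(frozen=True)
class Choice:                           # alpha ∪ beta
    left: object
    right: object

@dataclass(frozen=True)
class Seq:                              # alpha; beta
    first: object
    second: object

@dataclass(frozen=True)
class Loop:                             # alpha*, unrolled at most `bound` times
    body: object
    bound: int

DURATIONS = [0.0, 1.0, 2.0, 3.0, 4.0, 5.0]   # constructed grid of evolution durations


def reach(prog, s: State) -> Iterator[State]:
    """Yield the states reachable from s by running prog (bounded as described above)."""
    if isinstance(prog, Assign):
        yield {**s, prog.var: prog.term(s)}
    elif isinstance(prog, Test):
        if prog.cond(s):                # ?chi is a skip if chi holds and aborts otherwise
            yield s
    elif isinstance(prog, Evolve):
        for t in DURATIONS:
            # constant-rate flow x(t) = x + k t; the evolution domain must hold on the whole
            # trajectory, which is checked on nine equally spaced points of [0, t]
            path = [{**s, **{v: s[v] + k * t * i / 8 for v, k in prog.rates.items()}}
                    for i in range(9)]
            if all(prog.domain(p) for p in path):
                yield path[-1]
    elif isinstance(prog, Choice):
        yield from reach(prog.left, s)
        yield from reach(prog.right, s)
    elif isinstance(prog, Seq):
        for mid in reach(prog.first, s):
            yield from reach(prog.second, mid)
    elif isinstance(prog, Loop):
        yield s                         # zero repetitions
        if prog.bound > 0:
            for mid in reach(prog.body, s):
                yield from reach(Loop(prog.body, prog.bound - 1), mid)


def box(prog, s: State, prop: Pred) -> bool:
    """[prog]prop at s, restricted to the explored runs: prop holds in every reached state."""
    return all(prop(t) for t in reach(prog, s))


def do_until(rates: Dict[str, float], goal: Pred, border: Pred):
    """do F until G as the HP  F ∧ (¬G ∨ ∂G); ?G,  with the border ∂G supplied explicitly."""
    return Seq(Evolve(rates, lambda s: (not goal(s)) or border(s)), Test(goal))


def choices(first, *rest):
    """Nested nondeterministic choice alpha1 ∪ alpha2 ∪ ..."""
    prog = first
    for alt in rest:
        prog = Choice(prog, alt)
    return prog


# Altitude controller of Fig. 2, one line of the figure per alternative.
ALTITUDE = Seq(
    Assign("q", lambda s: "up"),
    Loop(choices(
        Seq(Test(lambda s: s["q"] == "up"), Evolve({"z": 1.0}, lambda s: s["z"] <= 9)),
        Seq(Test(lambda s: s["q"] == "up" and s["z"] >= 5),
            Seq(Assign("z", lambda s: s["z"] - 1), Assign("q", lambda s: "down"))),
        Seq(Test(lambda s: s["q"] == "down"), Evolve({"z": -1.0}, lambda s: True)),
        Seq(Test(lambda s: s["q"] == "down" and s["z"] <= 2),
            Seq(Assign("q", lambda s: "up"), Test(lambda s: s["z"] <= 9))),
    ), bound=4),
)


def altitude_bounded() -> bool:
    """z ≤ 9 in every explored state of the controller started in location up with z = 0."""
    return box(ALTITUDE, {"q": "up", "z": 0.0}, lambda s: s["z"] <= 9)


def climb_until_five() -> list:
    """do z' = 1 until z ≥ 5 from z = 0: only the evolution stopping on the border passes ?z ≥ 5."""
    prog = do_until({"z": 1.0}, lambda s: s["z"] >= 5, lambda s: s["z"] == 5)
    return [s["z"] for s in reach(prog, {"z": 0.0})]


if __name__ == "__main__":
    print("z stays at or below 9 on explored runs:", altitude_bounded())
    print("do-until end states:", climb_until_five())
```

The do-until case shows why the encoding needs the border ∂G in the evolution domain: the run that stops exactly at z = 5 is the only one that both stays inside ¬G ∨ ∂G and afterwards passes the test ?G.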


Formulas of dL. To express and combine correctness properties of HP, we use a verification logic for HP: the differential dynamic logic dL [18] is an extension of first-order logic over the reals with modal formulas like [α]φ, which is true iff all states reachable by following the transitions of HP α satisfy property φ (safety). Reachability properties are expressible using the dual modality ⟨α⟩φ, which is true iff there is a state satisfying φ that α can reach from its initial state. Formulas of dL are defined by the following grammar, where θ₁, θ₂ are terms, ~ is a comparison relation, φ, ψ are formulas, x ∈ V, and α is an HP (Table 1):

Formula ::= θ₁ ~ θ₂ | ¬φ | φ ∧ ψ | φ ∨ ψ | φ → ψ | ∀x φ | ∃x φ | [α]φ | ⟨α⟩φ


q := up;   /* initial location is up */
(  (?q = up; z′ = 1 ∧ z ≤ 9)
 ∪ (?q = up ∧ z ≥ 5; z := z − 1; q := down)
 ∪ (?q = down; z′ = −1)
 ∪ (?q = down ∧ z ≤ 2; q := up; ?z ≤ 9) )*

Figure 2: Hybrid automaton vs. hybrid program (simplistic altitude control)
A Hoare triple {ψ}α{φ} can be expressed as ψ → [α]φ, which is true iff all states reachable by HP α satisfy φ when starting from an initial state that satisfies ψ.

The semantics of dL and HP is a Kripke semantics over ℝ; see Appendix B.

4 Curved Flight in Roundabout Maneuvers

4.1 Flight Dynamics

The parameters of two aircraft at (planar) position x = (x₁, x₂) and y = (y₁, y₂) in ℝ² flying in directions d = (d₁, d₂) ∈ ℝ² and e = (e₁, e₂) are illustrated in Fig. 3. Their dynamics is determined by their angular speeds ω, ϱ ∈ ℝ and linear velocity vectors d and e, which describe both the linear velocity ‖d‖ := √(d₁² + d₂²) and the orientation of the aircraft in space. Roundabout maneuvers are horizontal collision avoidance maneuvers so that, like [23, 14, 8, 4, 16, 6, 10], we simplify to planar positions. We denote the flight equations for the aircraft at x and y with angular velocities ω, ϱ by F(ω) and G(ϱ) respectively, see [23] and Appendix A.1:

$$x' = d \;\wedge\; d' = \omega\, d^{\perp} \qquad (F(\omega))$$

$$y' = e \;\wedge\; e' = \varrho\, e^{\perp} \qquad (G(\varrho))$$

There d⊥ := (−d₂, d₁) is the orthogonal complement of vector d. Differential equations F(ω) express that x is moving in direction d, which is rotating with angular velocity ω, i.e., evolves orthogonal to d. Equations G(ϱ) are similar for y, e and ϱ. In safe flight configurations, aircraft respect protected zone p. That is, they are separated by at least distance p, i.e., the state satisfies formula S(p):

$$S(p) \;\equiv\; \|x - y\|^2 \ge p^2 \;\equiv\; (x_1 - y_1)^2 + (x_2 - y_2)^2 \ge p^2 \quad \text{for } p \in \mathbb{R} \qquad (1)$$

Like all other parameters, we treat p purely symbolically without a specific value. In practice, horizontal separation should be ≥ 5 mi and vertical separation ≥ 1000 ft.

4.2 Roundabout Maneuver Overview

FTRM consists of the phases in the protocol cycle in Fig. 4a, which correspond to the marked flight phases in Fig. 4b. During free flight, the aircraft move without restriction by repeatedly choosing arbitrary new angular velocities ω and ϱ respectively (as indicated by the self loop of phase free in Fig. 4a). When the aircraft come too close to one another, they agree on a compatible roundabout maneuver by negotiating a compatible roundabout center c = (c₁, c₂) in coordination phase agree by communication. Next, the aircraft approach the actual roundabout circle in a right curve with ω < 0 (entry mode) according to Fig. 4b, thereby approaching a tangential configuration around center c. During the circ mode, the aircraft follow the circular roundabout maneuver around the agreed center c with a left curve of common angular velocity ω > 0. Finally, the aircraft leave the circular roundabout in cruise mode (ω = 0) in their original direction (exit) and enter free flight again when they have reached sufficient distance (the protocol cycle repeats as necessary). The collision avoidance maneuver is symmetric when exchanging left and right curves.

Figure 4: Protocol cycle and construction of flyable roundabout maneuver. (a) Collision avoidance protocol (the free-flight self loop chooses ω := ∗ and ϱ := ∗); (b) Maneuver construction.

4.3 Compositional Verification Plan

For verifying safety properties and collision avoidance of FTRM, we decompose the verification problem and pursue the following overall verification plan:

AC1 Tangential roundabout maneuver cycle: We prove that the protected zones of aircraft are safely separated at all times during the whole maneuver (including repetitive collision avoidance maneuver initiation and including multiple aircraft) with a simplified but not yet flyable entry operation entryₙ. Subsequently, we refine this verification result to a flyable maneuver by verifying that we can replace entryₙ with its flyable variant entry.

AC2 Bounded control choices for aircraft velocities: We show that linear speeds remain unchanged during the whole maneuver (the aircraft do not stall).

AC3 Flyable entry: We prove that the simplified entryₙ procedure can be replaced by a flyable curve entry reaching the same position as entryₙ.

AC4 Bounded entry duration: The flyable entry procedure succeeds in bounded time, i.e., the aircraft reach the roundabout circle in some bounded time ≤ T.

AC5 Safe entry separation: Most importantly, we prove that the protected zones of aircraft are still respected during the flyable entry procedure.

AC6 Successful negotiation: We prove that the negotiation phase (agree) satisfies the respective requirements of multiple aircraft simultaneously.

AC7 Safe exit separation: We show that, for its bounded duration, the exit procedure cannot produce collisions and that the initial far separation for free flight is reached again so that the FTRM cycle repeats safely.

This plan modularizes the proof and allows us to identify the respective safety constraints imposed by the various maneuver phases successively. We present details of these verification tasks in the sequel and summarize the respective verification results into a joint safety property of FTRM in Section 6. The proof and formulation for AC2 is a simple variation of AC1 and will not be discussed. It is a consequence of previous results [17].

4.4 Tangential Roundabout Maneuver Cycles (AC1)

First, we analyze roundabouts with a simplified instant entry procedure and without an exit procedure (AC1), i.e., the non-flyable NTRM depicted in Fig. 1d. We refine this maneuver and its verification to the flyable FTRM afterwards.

Modular Correctness of Tangential Roundabout Cycles. We verify that NTRM safely avoids collisions, i.e., the aircraft always maintain a safe distance ≥ p during the curved flight in the roundabout. In addition, these results show that arbitrary repetitions of the protocol cycle are always safe when, as a first step, we simplify the entry maneuver. The NTRM model and property are summarized in Fig. 5.

The simplified flight controller in Fig. 5 performs collision avoidance maneuvers by tangential roundabouts and repeats these maneuvers any number of times as needed. During each cycle of the loop of NTRM, the aircraft first perform arbitrary free flight (free) by choosing arbitrary new angular velocities ω and ϱ (repeatedly, as indicated by the loop in free). Aircraft only fly freely while they are safely separated, which is expressed by constraint S(p) in the differential equation for free. Then the aircraft agree on an arbitrary roundabout center c and angular velocity ω (agree). We model this communication by nondeterministic assignments to the shared variables ω, c. Refinements include all negotiation processes that reach an agreement on common ω, c in bounded time. Next, they perform the simplified non-flyable entry procedure (entryₙ) with instant turns (Fig. 1d). This operation identifies the goal state that entry needs to reach:

$$\mathcal{T} \;\equiv\; d = \omega\,(x - c)^{\perp} \;\wedge\; e = \omega\,(y - c)^{\perp} \qquad (2)$$

It expresses that, at the positions x and y, respectively, the directions d and e are tangential to the roundabout circle at center c and angular velocity ω; see Fig. 6. Finally, the roundabout maneuver itself is carried out in circ. The collision avoidance roundabouts can be left again by repeating the loop and entering arbitrary free flight at any time. When further conflicts occur during free flight, the controller in Fig. 5 again enters roundabout conflict resolution maneuvers.

  S(p) → [NTRM] S(p)

  NTRM   ≡ (free; agree; entryₙ; circ)*
  free   ≡ (ω := ∗; ϱ := ∗; F(ω) ∧ G(ϱ) ∧ S(p))*
  agree  ≡ ω := ∗; c := ∗
  entryₙ ≡ d := ω(x − c)⊥; e := ω(y − c)⊥
  circ   ≡ F(ω) ∧ G(ω)

Figure 5: Nonflyable tangential roundabout collision avoidance maneuver NTRM

Figure 6: Tangential configuration 𝒯 of (2)

Multiple Aircraft. We prove separation for up to 5 aircraft participating in the roundabout at the same time. There, the safety property is mutual collision avoidance, i.e., each aircraft has a safe distance ≥ p to every other aircraft, which yields a quadratic number of separation properties that have to be verified. This quadratic increase in the size of the property that actually needs to be proven for a safe roundabout of n aircraft and the increased dimension of the underlying continuous state space increase verification times. Also see Appendix A.2.
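As an added illustration of AC1 and AC2 (not the paper's own code, which is symbolic and carried out in KeYmaera), the following Python script integrates the flight equations F(ω) numerically for several aircraft that have performed the instant entry entryₙ around a common center c and then fly circ with the agreed ω. It samples the run to check that the linear speeds ‖d‖ stay constant, that the tangential configuration (2) remains true, and that the pairwise separation S(p) of (1) holds for every one of the n(n−1)/2 pairs, reporting the minimal pairwise distance. The positions, ω and p are constructed sample values; the Runge-Kutta integration is exactly the kind of numerical approximation whose errors the paper's symbolic approach avoids, so a run of this script is evidence for one initial state, not a proof.

```python
# Numerical check of the NTRM circ phase for n aircraft (added example, see lead-in).
import math
from itertools import combinations


def perp(v):                    # orthogonal complement d⊥ := (−d2, d1) of Section 4.1
    return (-v[1], v[0])


def norm(v):
    return math.hypot(v[0], v[1])


def add(a, b):
    return (a[0] + b[0], a[1] + b[1])


def sub(a, b):
    return (a[0] - b[0], a[1] - b[1])


def scale(k, v):
    return (k * v[0], k * v[1])


def flight_rhs(state, omega):
    """Right-hand side of F(ω) on the pair (x, d): x' = d, d' = ω d⊥."""
    x, d = state
    return (d, scale(omega, perp(d)))


def rk4_step(state, omega, h):
    """One classical fourth-order Runge-Kutta step of size h for F(ω)."""
    def shifted(k, c):          # state + c * k, componentwise on the (x, d) pair
        return (add(state[0], scale(c, k[0])), add(state[1], scale(c, k[1])))
    k1 = flight_rhs(state, omega)
    k2 = flight_rhs(shifted(k1, h / 2), omega)
    k3 = flight_rhs(shifted(k2, h / 2), omega)
    k4 = flight_rhs(shifted(k3, h), omega)
    new = []
    for i in (0, 1):            # weighted increment for x (i = 0) and for d (i = 1)
        inc = add(add(k1[i], scale(2, k2[i])), add(scale(2, k3[i]), k4[i]))
        new.append(add(state[i], scale(h / 6, inc)))
    return tuple(new)


def separated(x, y, p):
    """S(p) of (1): ‖x − y‖² ≥ p²."""
    return (x[0] - y[0]) ** 2 + (x[1] - y[1]) ** 2 >= p * p


def entry_n(x, c, omega):
    """Instant entry of Fig. 5: d := ω (x − c)⊥, the tangential goal (2) at position x."""
    return scale(omega, perp(sub(x, c)))


def tangential(x, d, c, omega, tol=1e-6):
    """Goal configuration (2) at position x: d = ω (x − c)⊥ up to tolerance."""
    return norm(sub(d, entry_n(x, c, omega))) < tol


def circ(positions, c, omega, p, duration=None, steps=2000):
    """After entry_n, fly circ (F(ω) for every aircraft with the common ω) for `duration` time
    units (default: one full revolution 2π/ω). Samples every step and returns the minimal
    pairwise distance seen and whether speed constancy (AC2), the tangential configuration (2)
    and pairwise S(p) held at every sample."""
    if duration is None:
        duration = 2 * math.pi / abs(omega)
    states = [(x, entry_n(x, c, omega)) for x in positions]
    speeds = [norm(d) for _, d in states]      # ‖d‖ = |ω| ‖x − c‖ right after entry_n
    h = duration / steps
    min_dist, ok = math.inf, True
    for _ in range(steps + 1):
        for (xi, di), s0 in zip(states, speeds):
            ok = ok and abs(norm(di) - s0) < 1e-6 and tangential(xi, di, c, omega)
        for (xi, _), (xj, _) in combinations(states, 2):
            min_dist = min(min_dist, norm(sub(xi, xj)))
            ok = ok and separated(xi, xj, p)
        states = [rk4_step(s, omega, h) for s in states]
    return {"min_distance": min_dist, "safe": ok}


if __name__ == "__main__":
    # constructed sample: three aircraft agree on center (0, 0) and ω = 0.5, protected zone p = 3.5
    print(circ([(2.0, 0.0), (-2.0, 0.0), (0.0, 3.0)], (0.0, 0.0), 0.5, 3.5))
```

Because every aircraft in circ rotates rigidly about the same center c, the pairwise distances are constants of the motion, which is why a single sampled minimum (here √13 for the constructed positions) decides S(p) for the whole phase; what the proof of AC1 establishes symbolically is that this holds for every initial state and every p, not just the sampled instance.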

4.5 Flyable Entry Procedures (AC3)

For property AC3 in Section 4.3, we generalize the verification results about NTRM with simplified entry procedures (Fig. 1d) to FTRM (Fig. 4b) by replacing the non-flyable entryₙ procedure with flyable curves (called entry). This turns the non-flyable NTRM into the flyable FTRM maneuver.

Figure 7: Flyable entry maneuver: characteristics and separation. (a) Flyable entry characteristics; (b) Entry separation by overapproximation.
Flyable Entry Properties. A flyable entry maneuver that follows the smooth entry curve from Fig. 4b is constructed according to Fig. 7a and specified formally as:

$$(r\omega)^2 = \|d\|^2 \;\wedge\; \|x - c\| = \sqrt{3}\,r \;\wedge\; \exists \lambda > 0\,(x + \lambda d = c) \;\wedge\; \|h - c\| = 2r \;\wedge\; d = -\omega\,(x - h)^{\perp}$$

$$\to\; [F(-\omega) \wedge \|x - c\| \ge r]\,\bigl(\|x - c\| \le r \to d = \omega\,(x - c)^{\perp}\bigr) \qquad (3)$$

The assumptions in formula (3) express that r is the radius corresponding to speed ‖d‖ and angular velocity ω ((rω)² = ‖d‖²) and that entry starts with distance √3 r heading towards c (∃λ>0 (x + λd = c)). For the construction of the maneuver and positioning in space, we use the auxiliary anchor point h ∈ ℝ² identified in Fig. 7a and line 1 of (3). It is positioned relative to the roundabout center c and the x position at the start of the entry curve (i.e., with x at the right angle indicated in Fig. 7a). The entry curve around h is similar to the roundabout curve around c. Formally, h is characterized by distance r to x, distance 2r to c (‖h − c‖ = 2r) and, further, vector x − h is orthogonal to d and obeys the relative orientation of the curve belonging to −ω (hence d = −ω(x − h)⊥). The property in (3) specifies that the tangential goal configuration (2) around c is reached by a flyable curve when waiting until aircraft x and center c have distance r, because the domain restriction of the dynamics is ‖x − c‖ ≥ r (line 2) and the postcondition assumes ‖x − c‖ ≤ r, which together imply ‖x − c‖ = r. The feasibility of choosing anchor point h can be shown by proving an existence property; see Appendix A.3.

Spatial Symmetry Reduction. The property in (3) can be verified in a simplified version. We use a new spatial symmetry reduction to simplify property (3) computationally. We exploit symmetries to reduce the spatial dimension by fixing variables. Without loss of generality, we recenter the coordinate system with c at position 0. Further, we can assume aircraft x comes from the left by changing the orientation of the coordinate system. Finally, we assume, without loss of generality, linear speed 1 (by rescaling units appropriately). Observe that we cannot fix a value for both the linear speed and the angular velocity, because the units are interdependent. In other words, if we fix the linear speed, we need to consider all angular velocities in order to verify the maneuver for each possible radius r of the roundabout maneuver (and corresponding ω). The x position resulting from these symmetry reductions can be determined easily by the Pythagorean theorem (i.e., (2r)² = r² + x₁² for the triangle enclosed by h, x, c in Fig. 7a):

$$x = \left(\sqrt{(2r)^2 - r^2},\; 0\right) = \left(\sqrt{3}\,r,\; 0\right) . \qquad (4)$$

Consequently, we simplify (3) by specializing to the following situation:

  c := (0, 0); d := (1, 0); r := ∗; ?r > 0; ω := 1/r; x := (√3 r, 0)

4.6  Bounded Entry Duration (AC4)

As the first step for showing that the entry procedure finally succeeds at goal (2) and maintains a safe distance all the time, we show that entry succeeds in bounded time and cannot take arbitrarily long to succeed (AC4 in Section 4.3).

Figure 8: Flyable aircraft roundabout (multiple aircraft)

By a simple consequence of the proof for (3), the entry procedure follows a circular motion around anchor point $h$, see Fig. 7a. That is, when $r$ is the radius belonging to the angular velocity $\omega$ and the linear speed $\|d\|$, the property $\|x - h\| = r$ is an invariant of entry; see Appendix A.4. By AC2, which can be proven easily, the speed $\|d\|$ is constant during the entry procedure. Thus, the aircraft proceeds with nonzero minimum progress rate $\|d\|$ around the circle. The flight duration for a full circle of radius $r$ around $h$ at constant linear speed $\|d\|$ is $2\pi r/\|d\|$, because its arc length is $2\pi r$. From the trigonometric identities underlying equation (4), we can read off that the aircraft completes a $\pi/3 = 60^\circ$ arc, see Fig. 7a. Hence, the maximum duration $T$ of the entry procedure is:

$$T = \frac{1}{6} \cdot \frac{2\pi r}{\|d\|} = \frac{\pi r}{3\,\|d\|} \qquad (5)$$

Instead of $\pi$, which is not definable in first-order real arithmetic, we can use any overapproximation, e.g., $3.1415927$ in (5). Roots like $r = \sqrt{3}$, instead, are definable easily via $r^2 = 3 \wedge r > 0$.

4.7  Safe Entry Separation (AC5)

In Section 4.5, we have shown that the simplified $\mathit{entry}_n$ procedure from NTRM can be replaced by a flyable entry maneuver that meets the requirements of approaching tangentially for each aircraft. Unlike for instant turns ($\mathit{entry}_n$), we still have to show that the respective flyable entry maneuvers of multiple aircraft do not produce mutually conflicting flight paths, i.e., that spatial separation of all aircraft is maintained during the entry maneuvers of multiple aircraft (AC5). Fig. 8 illustrates FTRM with multiple aircraft where separation is important.

Bounded Overapproximation  We show that entry separation is a consequence of the bounded speed (AC2) and bounded duration (AC4) of the flyable entry procedure when the negotiation phase $\mathit{agree}$ is initiated with sufficient distance. We prove that, when following bounded speed for a bounded duration, aircraft only come closer by a bounded distance. Let $b$ denote the overall speed bound during FTRM according to AC2 and let $T$ be the time bound for the duration of the entry procedure due to AC4. We overapproximate the actual behavior during the entry phase by arbitrary curved flight (see Fig. 7b). When the entry procedure is initiated with sufficient distance $\sqrt{2}\,(p + 2bT)$, the protected zone $p > 0$ will still be respected after the two aircraft follow any curved flight (including the actual choices during the entry phase and the subsequent $\mathit{circ}$ phase) with speeds $\|d\| \leq b$ and $\|e\| \leq b$ for up to $T > 0$ time units (see Fig. 7b):

$$\|x - y\| \geq \sqrt{2}\,(p + 2bT) \wedge p > 0 \wedge \|d\|^2 \leq b^2 \wedge \|e\|^2 \leq b^2 \wedge b > 0 \wedge T > 0 \ \rightarrow\ [\mathit{entry}]\,(\|x - y\| \geq p) \qquad (6)$$

In Appendix A.5, we show that this property follows from the more general fact that aircraft only make limited progress in bounded time from some initial point $z$ when starting with bounded speeds (even when changing $\omega$ arbitrarily):

$$x = z \wedge \|d\|^2 \leq b^2 \wedge b > 0 \ \rightarrow\ [\tau := 0;\ \exists\omega\,\mathcal{F}(\omega) \wedge \tau' = 1]\,(\|x - z\|_\infty \leq \tau b) \qquad (7)$$

The maximum distance $\|x - z\|_\infty$ from $z$ depends on the clock $\tau$ and the bound $b$. To reduce the polynomial degree and the verification complexity, we overapproximate distances from the quadratically definable Euclidean norm $\|\cdot\|$ in terms of the linearly definable supremum norm $\|\cdot\|_\infty$, instead, which is

$$\|x\|_\infty \leq c \ \equiv\ -c \leq x_1 \leq c \wedge -c \leq x_2 \leq c$$

Far Separation  By combining the estimation of the entry duration (5) at speed $\|d\| = b$ with the entry separation property (6), we determine the following magnitude as the far separation, i.e., the initial distance which guarantees that the protected zone $p$ is maintained during the full FTRM, including entry:

$$f := \sqrt{2}\,(p + 2bT) \overset{(5)}{=} \sqrt{2}\left(p + \tfrac{2}{3}\pi r\right) \qquad (8)$$
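The constructions of Sections 4.5-4.7 can be exercised numerically. The following Python script is an added example (it is not part of the original paper and not KeYmaera input): it places one aircraft in the symmetry-reduced configuration of (4), computes the anchor point $h$ from $d = -\omega(x-h)^\perp$, flies $\mathcal{F}(-\omega)$ by exact rotation about $h$ until $\|x - c\|$ reaches $r$, and checks the claims of (3), (5), (15) and (7) along the way: the anchor distance $\|x - h\| = r$ is invariant, the domain $\|x - c\| \geq r$ is never violated, entry ends after $T = \pi r/(3\|d\|)$ with a $60^\circ$ arc in the tangential configuration $d = \omega(x - c)^\perp$ of (2), and the progress bound $\|x - z\|_\infty \leq \tau b$ holds at every sample. The coordinates, the step count, and the numerical stopping rule (the distance to $c$ stops decreasing at the tangent point) are assumptions of this script, not of the paper; a simulation confirms, but does not replace, the symbolic proof.

```python
import math

SQRT3 = math.sqrt(3.0)


def perp(v):
    """(a, b)^⊥ = (-b, a): the rotation by +90° used in F(ω), whose velocity law is d' = ω d^⊥."""
    return (-v[1], v[0])


def norm(v):
    return math.hypot(v[0], v[1])


def sup_norm(v):
    return max(abs(v[0]), abs(v[1]))


def anchor_point(x, d, omega):
    """Anchor h of the entry curve, solved from the constraint d = -ω (x - h)^⊥ of (3):
    (x - h)^⊥ = -d/ω  ⇒  x - h = (-d2/ω, d1/ω)  ⇒  h = (x1 + d2/ω, x2 - d1/ω)."""
    return (x[0] + d[1] / omega, x[1] - d[0] / omega)


def simulate_entry(r, speed, steps_per_bound=10_000):
    """Fly the symmetry-reduced entry of Section 4.5 and report what the proofs claim.

    Assumed setting (constructed, as in (4)): c = (0,0), d = (speed, 0), ω = speed / r so that
    (rω)² = ||d||², and x = (-√3 r, 0).  Each step rotates x - h exactly by ω·dt, i.e. the
    aircraft follows F(-ω); entry ends where ||x - c|| touches r, which the loop detects as
    the point where the distance to c stops decreasing (numerical stand-in for
    'until ||x - c||² = r²').
    """
    c = (0.0, 0.0)
    d = (speed, 0.0)
    omega = speed / r
    x = (-SQRT3 * r, 0.0)
    h = anchor_point(x, d, omega)
    z, b = x, speed                                 # start point and speed bound for (7)
    t_bound = math.pi * r / (3.0 * speed)           # equation (5)
    dt = t_bound / steps_per_bound
    cos_s, sin_s = math.cos(omega * dt), math.sin(omega * dt)

    tau, anchor_err = 0.0, 0.0
    dist = norm((x[0] - c[0], x[1] - c[1]))
    domain_ok = progress_ok = True
    for _ in range(3 * steps_per_bound):            # cap only; the loop exits at the tangent point
        rel = (x[0] - h[0], x[1] - h[1])
        # angular velocity -ω: clockwise rotation of x - h about h
        rel = (rel[0] * cos_s + rel[1] * sin_s, -rel[0] * sin_s + rel[1] * cos_s)
        x_new = (h[0] + rel[0], h[1] + rel[1])
        dist_new = norm((x_new[0] - c[0], x_new[1] - c[1]))
        if dist_new > dist:
            break                                   # the curve has touched the circle of radius r
        x, dist = x_new, dist_new
        px, py = perp(rel)
        d = (-omega * px, -omega * py)              # d = -ω (x - h)^⊥ along the whole entry
        tau += dt
        anchor_err = max(anchor_err, abs(norm(rel) - r))       # invariant ||x - h|| = r of (15)
        domain_ok = domain_ok and dist >= r - 1e-9              # domain ||x - c|| ≥ r of (3)
        if sup_norm((x[0] - z[0], x[1] - z[1])) > tau * b + 1e-9:
            progress_ok = False                                 # bound ||x - z||_∞ ≤ τ b of (7)

    xc = (x[0] - c[0], x[1] - c[1])
    tx, ty = perp(xc)
    tangent = (omega * tx, omega * ty)              # ω (x - c)^⊥: tangential configuration (2)
    return {
        "T_bound": t_bound,
        "dt": dt,
        "tau": tau,                                 # measured entry duration
        "arc_deg": math.degrees(omega * tau),       # the 60° arc of Fig. 7a
        "anchor_to_center": norm((h[0] - c[0], h[1] - c[1])),   # ||h - c|| = 2r
        "anchor_err": anchor_err,
        "center_dist": dist,                        # ||x - c|| = r at the end of entry
        "tangential_err": norm((d[0] - tangent[0], d[1] - tangent[1])),
        "domain_ok": domain_ok,
        "progress_bound_ok": progress_ok,
    }


if __name__ == "__main__":
    for key, val in simulate_entry(r=2.0, speed=3.0).items():
        print(f"{key:>18}: {val}")
```

Running the block with other values of `r` and `speed` shows the scaling remark of Section 4.5 directly: the arc stays at $60^\circ$ and the duration scales as $r/\|d\|$, which is why fixing the speed still leaves every $r$ (and $\omega = \|d\|/r$) to be verified.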

5  Synchronization of Roundabout Maneuvers

Following our verification plan in Section 4.3, we show that the various actions of multiple aircraft can be synchronized appropriately to ensure safety of the maneuver. We analyze the negotiation phase and compatible exit procedures.

5.1  Successful Negotiation (AC6)

For negotiation to succeed (AC6), we have to show that there is a common choice of the roundabout center $c$ and angular velocity $\omega$ (or radius $r$) so that multiple participating aircraft can satisfy the local requirements of their respective entry procedures simultaneously, i.e., of property (3) for AC3.

We prove that all corresponding choices of $\mathit{agree}$ satisfy the mutual requirements of multiple aircraft simultaneously. As one possible option among others: when choosing the roundabout center $c$ as the simultaneous intersection (intersection $x + \lambda d = y + \lambda e$ after time $\lambda$) of the flight paths of the aircraft at $x$ and $y$, the choices for $c, r, \omega$ are compatible for multiple aircraft; see Fig. 9a:

$$\lambda > 0 \wedge x + \lambda d = y + \lambda e \wedge \|d\| = \|e\| \ \rightarrow$$
$$[c := x + \lambda d;\ r := *;\ ?\|x - c\| = \sqrt{3}\,r;\ ?\|y - c\| = \sqrt{3}\,r;\ \omega := *;\ ?(r\omega)^2 = \|d\|^2]$$
$$\big(\|x - c\| = \sqrt{3}\,r \wedge \lambda > 0 \wedge x + \lambda d = c \wedge \|y - c\| = \sqrt{3}\,r \wedge y + \lambda e = c\big) \qquad (9)$$

The tests in the dynamics ensure that the entry curve starts when $x$, $y$ and $c$ have the appropriate distance $\sqrt{3}\,r$ identified in Section 4 and that $r$ is the radius belonging to angular velocity $\omega$ and linear speed $\|d\|$. This property expresses that, for aircraft heading towards the simultaneous intersection of their flight paths with speed $\|d\| = \|e\|$ (line 1), the intersection of the linear flight paths (line 2) is a safe choice for $c$ satisfying the joint requirements (line 3) identified in Section 4. For an analysis of far separation during negotiation and of the feasibility of these choices, see Appendix A.6. Other choices of $c, \omega$ than Fig. 9a are possible for asymmetric initial positions of aircraft, but computationally more involved.

5.2  Safe Exit Separation (AC7)

NTRM (Fig. 1d) does not need an exit procedure for safety, because the maneuver repeats when further air traffic conflicts arise. For FTRM, instead, we need to show that the exit procedure produces safe flight paths until the aircraft are sufficiently separated: when repeating the FTRM maneuver, the entry procedure needs far separation (8), not just distance $p$, for safety; see Fig. 4b.

Safe Separation  If the aircraft enter simultaneously, they can exit simultaneously. For AC7, we first show that aircraft that exit simultaneously (from tangential positions of the roundabout circle) always respect their protected zones:

$$\mathcal{T} \wedge \|x - y\|^2 \geq p^2 \ \rightarrow\ [x' = d \wedge y' = e]\,(\|x - y\|^2 \geq p^2) \qquad (10)$$

This property expresses that safely separated aircraft exiting simultaneously along straight lines from tangential positions ($\mathcal{T}$ by eqn. (2)) of a roundabout will always remain safely separated. The proof for (10) uses overapproximations: even the whole exit rays (Fig. 9b-9c) are separated at all times; see Appendix A.7.

Figure 9: Separation of negotiation and good and bad exit procedure separation

$$\psi \equiv \|d\| = \|e\| \wedge r > 0 \wedge \mathcal{S}(f) \rightarrow [\mathrm{FTRM}^*]\,\mathcal{S}(p)$$
$$\mathcal{C} \equiv \|x - c\| = \sqrt{3}\,r \wedge \exists\lambda{>}0\,(x + \lambda d = c) \wedge \|y - c\| = \sqrt{3}\,r \wedge \exists\lambda{>}0\,(y + \lambda e = c)$$
$$\mathrm{FTRM} \equiv \mathit{free};\ \mathit{agree};\ \Pi(\mathit{entry};\ \mathit{circ};\ \mathit{exit})$$
$$\mathit{free} \equiv \omega := *;\ \varrho := *;\ \mathcal{F}(\omega) \wedge \mathcal{G}(\varrho) \wedge \mathcal{S}(f)$$
$$\mathit{agree} \equiv c := *;\ r := *;\ ?(\mathcal{C} \wedge r > 0);\ ?\mathcal{S}(f);\ \omega := *;\ ?(r\omega)^2 = \|d\|^2;\ x_0 := x;\ d_0 := d;\ y_0 := y;\ e_0 := e$$
$$\mathit{entry} \equiv \mathbf{do}\ \mathcal{F}(-\omega)\ \mathbf{until}\ \|x - c\|^2 = r^2$$
$$\mathit{circ} \equiv \mathbf{do}\ \mathcal{F}(\omega)\ \mathbf{until}\ \exists\lambda{>}0\,\exists\mu{>}0\,(x + \lambda d = x_0 + \mu d_0)$$
$$\mathit{exit} \equiv \mathcal{F}(0);\ ?\mathcal{S}(f)$$

Figure 10: Flight control with flyable tangential roundabout collision avoidance

Far Separation  To show that the aircraft reach arbitrary separation when following the exit procedure long enough, we prove that, due to different exit directions $d \neq e$, the exit procedure will finally separate the aircraft arbitrarily far (starting from the tangential configuration (2) of the roundabout):

$$\mathcal{T} \wedge d \neq e \ \rightarrow\ \forall a\,\langle x' = d \wedge y' = e\rangle\,(\|x - y\|^2 \geq a^2) \qquad (11)$$

The proof uses the same ray overapproximations (Fig. 9b-9c), see Appendix A.7.


6  Flyable Tangential Roundabout Maneuver

We combine the results about the individual phases of flyable roundabouts into a full model of FTRM that inherits safety modularly. We collect the maneuver phases according to the protocol cycle of Fig. 4 and take care to ensure that the safety prerequisites are met, as identified for the respective phases in Sections 4 and 5.

One possible instance of FTRM is the hybrid program in Fig. 10, which is composed of previously illustrated parts of the maneuver. The technical construction and protocol cycle of the entry procedure have already been illustrated in Fig. 4.

Finally, in FTRM, $\Pi$ denotes the synchronous parallel product. Using communication, FTRM operates synchronously, i.e., all aircraft make simultaneous mode changes like in [10]. Consequently, the parallel product $\Pi(\mathit{entry};\ \mathit{circ};\ \mathit{exit})$ of hybrid programs simplifies to the conjunction of the respective differential equations in the various modes and can be defined easily as follows (likewise for more aircraft):

$$(\mathit{entry}_x \wedge \mathit{entry}_y);\ (\mathit{circ}_x \wedge \mathit{circ}_y);\ (\mathit{exit}_x \wedge \mathit{exit}_y)$$
Decomposed property of system dynamics                                                 See
$\mathcal{S}(f) \rightarrow [\mathit{free}]\,\mathcal{S}(f)$                                                       Fig. 5
$\mathcal{S}(f) \rightarrow [\mathit{agree}]\,(\mathcal{S}(f) \wedge \mathcal{C})$                                 (9), (19)
$\mathcal{C} \wedge \mathcal{S}(f) \rightarrow [\mathit{entry}]\,\mathcal{S}(p)$                                    (6)
$\mathcal{C} \wedge \mathcal{S}(f) \rightarrow [\mathit{entry}]\,\mathcal{T}$                                       (3)
$\mathcal{T} \wedge \mathcal{S}(p) \rightarrow [\mathit{circ}]\,(\mathcal{S}(p) \wedge \mathcal{T})$                Fig. 5
$\mathcal{T} \wedge \mathcal{S}(p) \rightarrow [\mathit{exit}]\,\mathcal{S}(p)$                                     (10)
$\mathcal{T} \wedge \mathcal{S}(p) \rightarrow [\mathit{exit}]\,\mathcal{S}(f)$                                     (10), (11)

Figure 11: Composing verification for flyable tangential roundabout maneuvers


where $\mathit{entry}_x$ is the entry procedure of the aircraft at position $x$, etc. Further, Fig. 14 instantiates Fig. 10 with all abbreviations resolved.

To verify this maneuver, we split the proof into the modular properties that we have already shown previously, following the verification plan from Section 4.3. Formally, we split the system at its sequential compositions, giving the subproperties depicted in Fig. 11. Formula $\mathcal{T}$ is due to equation (2) and $\mathcal{S}(p)$ to (1).

By combining the results about the FTRM flight phases as summarized in Fig. 11, we conclude that FTRM avoids collisions safely. The modular proof structure in Fig. 11 still holds when replacing any part of the maneuver with a different choice that still satisfies the specification, e.g., for different entry procedures that still succeed in tangential configuration $\mathcal{T}$ within bounded time. This includes roundabouts with asymmetric positions, i.e., where the initial distances to $c$ can differ, and with near conflicts, where the flight paths do not intersect in one point but in a larger critical region [10]. Most notably, the separation proof in Section 4.7 is by overapproximation and tolerates asymmetric distances to $c$ (Fig. 7b).

Theorem 1 (Safety of flyable tangential roundabout maneuvers)  FTRM is collision free, i.e., the collision avoidance property $\psi$ in Fig. 10 is valid. Even any variation of FTRM with a modified entry procedure that safely reaches tangential configuration $\mathcal{T}$ in some bounded time $T$ is safe, i.e., when the following formula holds, saying that, until time $T$, the aircraft have safe distance $p$ and will have reached configuration $\mathcal{T}$ at time $T$, with $\tau$ as a clock:

$$\mathcal{S}(f) \ \rightarrow\ [\tau := 0;\ \mathit{entry} \wedge \tau' = 1]\,\big((\tau \leq T \rightarrow \mathcal{S}(p)) \wedge (\tau = T \rightarrow \mathcal{T})\big) .$$

7  Experimental  Results 

Table 2 summarizes experimental results obtained using the tool KeYmaera¹ for our verification algorithm [20, 22] on a 2.6GHz AMD Opteron with 4GB memory. Rows marked with * indicate a property where simplifications like symmetry reduction have been used to reduce the computational complexity. Table 2 shows that even aircraft maneuvers with challenging hybrid curve dynamics can be verified formally. Memory consumption of quantifier elimination is shown in Table 2, excluding the front-end. The dimension of the continuous state space and the number of automatic proof steps are indicated. Except for simple manual steps during one property (16), the proofs for Table 2 are 100% automatic.

¹ The KeYmaera verification tool is available at http://symbolaris.com/info/KeYmaera.html; the experiments are available at http://symbolaris.com/pub/RCAS-examples.zip

Table 2: Experimental results for air traffic control

Case study                      See          Time (s)   Memory (MB)   Steps   Dimension
tangential roundabout           2 aircraft       10.4           6.8     197          13
tangential roundabout           3 aircraft      253.6           7.2     342          18
tangential roundabout           4 aircraft      382.9          10.2     520          23
tangential roundabout           5 aircraft     1882.9          39.1     735          28
bounded maneuver speed          AC2               0.5           6.3      14           4
flyable roundabout entry*       (3)              10.1           9.6     132           8
flyable entry feasible*         (14)            104.5          87.9      16          10
flyable entry circular          (15)              3.2           7.6      81           5
limited entry progress          (7)               1.9           6.5      60           8
entry separation                (16)            140.1          20.1     512          16
mutual negotiation successful   (9)               0.8           6.4      60          12
mutual negotiation feasible*    (17)              7.5          23.8      21          11
mutual far negotiation          (19)              2.4           8.1      67          14
simultaneous exit separation*   (21)              4.3          12.9      44           9
different exit directions       (23)              3.1          11.1      42          11


8  Summary

We have analyzed complex air traffic control applications. Real aircraft can only follow sufficiently smooth flyable curves. Hence, mathematical maneuvers that require instant turns give physically impossible conflict resolution advice. We have developed a new collision avoidance maneuver with smooth, fully flyable curves. Despite its complicated dynamics and maneuvering, we have verified collision avoidance in this flyable tangential roundabout maneuver formally using our verification algorithm for a logic of hybrid systems. Due to the intricate spatio-temporal movement of aircraft in roundabout maneuvers, some of the properties require intricate arithmetic, which we handled by symmetry reduction and degree-based reductions. The proof is automatic except for modularization and arithmetical simplifications to overcome the computational complexity.

While the flyable roundabout maneuver is a highly nontrivial and challenging study, we still use modeling assumptions that should be generalized and relaxed in future work, including synchronous conflict resolution. The proof structure behind Theorem 1 is already sufficiently general, but the computational complexity is high. It would be interesting future work to see if the informal robustness studies of Hwang et al. [10] can be carried over to a formal verification result.
A  Additional Verification Results for the Flyable Tangential Roundabout Maneuver

In this appendix, we provide additional background and verification results for aircraft.

A.1  Transcendental Functions Make Flight Dynamics Difficult

Solutions of flight equations contain complicated transcendental functions that give undecidable arithmetic. Consider, for instance, the differential equation system for the relative position $x = (x_1, x_2)$ of two aircraft with linear speeds $v_1$ and $v_2$, respectively, and angular velocities $\omega$ and $\varrho$, respectively; see [23] for details:

$$x_1' = -v_1 + v_2\cos\vartheta + \omega x_2 \qquad x_2' = v_2\sin\vartheta - \omega x_1 \qquad \vartheta' = \varrho - \omega \qquad (12)$$

Differential equation solving in Mathematica produces the solution depicted in Fig. 12. The "solution" (if it is one at all) in Fig. 12 is not suitable for verification purposes. It involves several trigonometric functions and has an undefined singularity at $\omega = 0$. Reachability verification is not possible for trigonometric solutions like in Fig. 12, because the resulting formulas of the form $\forall t{\geq}0\ G(x_1(t), x_2(t), \vartheta(t))$ involve quantified arithmetic over trigonometric functions, which is undecidable.


[Figure 12 residue: the closed-form expressions for $x_1(t)$ and $x_2(t)$ returned by Mathematica, sums of products of $\sin$ and $\cos$ of $t\omega$, $t\varrho$ and $\vartheta$ with a prefactor $1/(\varrho\omega)$, are not recoverable from this copy and are omitted; the angle component reads $\vartheta(t) = \vartheta + t(\varrho - \omega)$.]

Figure 12: Formal but useless "solution" of flight equations produced by Mathematica

The flight equations $\mathcal{F}(\omega)$ and $\mathcal{G}(\varrho)$ given in Section 4.1 can be derived from equation (12). These equations $\mathcal{F}(\omega)$ and $\mathcal{G}(\varrho)$ still have just as complicated trigonometric solutions, but the differential equations themselves are polynomials in the state variables, which is crucial for differential invariants [17, 22].

The derivation works as follows. The parameters of two aircraft at the respective (planar) positions $x = (x_1, x_2) \in \mathbb{R}^2$ and $y = (y_1, y_2) \in \mathbb{R}^2$ with angular orientations $\vartheta$ and $\varsigma$ are as in Fig. 3 (with $\theta = 0$). Following [23], aircraft dynamics is determined by their linear speeds $v, u \in \mathbb{R}$ and angular speeds $\omega, \varrho \in \mathbb{R}$, respectively:

$$x_1' = v\cos\vartheta \quad x_2' = v\sin\vartheta \quad \vartheta' = \omega \qquad\quad y_1' = u\cos\varsigma \quad y_2' = u\sin\varsigma \quad \varsigma' = \varrho \qquad (13)$$

That is, position $x$ moves with speed $v$ into the direction with angular orientation $\vartheta$, which rotates with angular velocity $\omega$ (likewise for $y, u, \varsigma, \varrho$). To handle the transcendental functions in equation (13), we axiomatize $\sin$ and $\cos$ by differential equations and reparametrize the system using the linear velocity vectors

$$d = (d_1, d_2) := (v\cos\vartheta,\ v\sin\vartheta) \in \mathbb{R}^2 \quad\text{and}\quad e = (e_1, e_2) := (u\cos\varsigma,\ u\sin\varsigma) \in \mathbb{R}^2$$

which describe both the linear speed $\|d\| := \sqrt{d_1^2 + d_2^2} = v$ and the orientation of the aircraft in space, see vectors $d$ and $e$ in Fig. 3:

$$x_1' = d_1 \wedge x_2' = d_2 \wedge d_1' = -\omega d_2 \wedge d_2' = \omega d_1$$
$$y_1' = e_1 \wedge y_2' = e_2 \wedge e_1' = -\varrho e_2 \wedge e_2' = \varrho e_1$$

Using vectorial notation, these polynomial differential equations are the same as the earlier differential equations $\mathcal{F}(\omega)$ and $\mathcal{G}(\varrho)$, respectively. They can be verified using our verification algorithm on the basis of differential invariants [22].
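The reparametrization step is stated above but not carried out. As an added worked derivation (not part of the original paper), differentiating the velocity vector $d$ with the chain rule, using $\vartheta' = \omega$ from (13) and the fact that $v$ is constant, gives the polynomial system and at the same time the reason why the speed is a differential invariant (the content of AC2):

$$
\begin{aligned}
d_1' &= \tfrac{d}{dt}\,(v\cos\vartheta) = -v\sin\vartheta\cdot\vartheta' = -\omega\,(v\sin\vartheta) = -\omega d_2,\\
d_2' &= \tfrac{d}{dt}\,(v\sin\vartheta) = v\cos\vartheta\cdot\vartheta' = \omega\,(v\cos\vartheta) = \omega d_1,\\
\big(d_1^2 + d_2^2\big)' &= 2d_1 d_1' + 2d_2 d_2' = -2\omega d_1 d_2 + 2\omega d_1 d_2 = 0 .
\end{aligned}
$$

Hence $\|d\|^2 = v^2$ stays constant along $\mathcal{F}(\omega)$ without solving the equations, and the same computation with $u, \varsigma, \varrho$ yields $\mathcal{G}(\varrho)$ with $\|e\|^2 = u^2$ invariant. The transcendental functions survive only in the initial value of $d$ (as $d_1/v = \cos\vartheta$ and $d_2/v = \sin\vartheta$), never in the right-hand side, which is what makes the differential invariant reasoning of [17, 22] applicable.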


A.2  Non-Flyable Tangential Roundabout Maneuver for Multiple Aircraft (AC1)

Concerning multiple aircraft, Fig. 13 contains the system and separation property specification for the 5-aircraft NTRM. There, property $\psi$ expresses that the 5 aircraft at positions $x, y, z, u, v \in \mathbb{R}^2$, respectively, keep mutual distance $\geq p$.

A.3  Flyable Entry Procedure Proofs (AC3)

For AC3, we further prove that the anchor point $h$ can always be chosen as illustrated in Fig. 7a. That is, we show feasibility of the assumptions of property (3) by the following existence property:

$$(r\omega)^2 = \|d\|^2 \wedge \|x - c\| = \sqrt{3}\,r \wedge \exists\lambda{>}0\,(x + \lambda d = c) \ \rightarrow\ \exists h\,\big(d = -\omega\,(x - h)^\perp \wedge \|h - c\| = 2r\big) \qquad (14)$$

A.4  Bounded Entry Duration Proof for Circular Flight (AC4)

For AC4, we prove constant distance to anchor point $h$, i.e., that, indeed, $\|x - h\| = r$ is an invariant of entry as conjectured in Section 4.6:

$$(r\omega)^2 = \|d\|^2 \wedge \|x - c\| = \sqrt{3}\,r \wedge \exists\lambda{>}0\,(x + \lambda d = c) \wedge d = -\omega\,(x - h)^\perp \wedge \|h - c\| = 2r$$
$$\rightarrow\ [\mathcal{F}(-\omega) \wedge \|x - c\| \geq r]\,(\|x - h\| = r) \qquad (15)$$
$$\psi \equiv \mathcal{S}(p) \rightarrow [\mathrm{NTRM}^*]\,\mathcal{S}(p)$$
$$\mathcal{S}(p) \equiv (x_1 - y_1)^2 + (x_2 - y_2)^2 \geq p^2 \wedge (y_1 - z_1)^2 + (y_2 - z_2)^2 \geq p^2 \wedge (x_1 - z_1)^2 + (x_2 - z_2)^2 \geq p^2 \wedge (x_1 - u_1)^2 + (x_2 - u_2)^2 \geq p^2$$
$$\wedge (y_1 - u_1)^2 + (y_2 - u_2)^2 \geq p^2 \wedge (z_1 - u_1)^2 + (z_2 - u_2)^2 \geq p^2 \wedge (x_1 - v_1)^2 + (x_2 - v_2)^2 \geq p^2 \wedge (y_1 - v_1)^2 + (y_2 - v_2)^2 \geq p^2$$
$$\wedge (z_1 - v_1)^2 + (z_2 - v_2)^2 \geq p^2 \wedge (u_1 - v_1)^2 + (u_2 - v_2)^2 \geq p^2$$
$$\mathrm{NTRM} \equiv \mathit{free};\ \mathit{agree};\ \mathit{entry}_n;\ \mathit{circ}$$
$$\mathit{circ} \equiv x_1' = d_1 \wedge x_2' = d_2 \wedge d_1' = -\omega d_2 \wedge d_2' = \omega d_1 \wedge y_1' = e_1 \wedge y_2' = e_2 \wedge e_1' = -\omega e_2 \wedge e_2' = \omega e_1$$
$$\wedge z_1' = f_1 \wedge z_2' = f_2 \wedge f_1' = -\omega f_2 \wedge f_2' = \omega f_1 \wedge u_1' = g_1 \wedge u_2' = g_2 \wedge g_1' = -\omega g_2 \wedge g_2' = \omega g_1$$
$$\wedge v_1' = h_1 \wedge v_2' = h_2 \wedge h_1' = -\omega h_2 \wedge h_2' = \omega h_1$$
$$\mathit{free} \equiv \big(\omega_x := *;\ \omega_y := *;\ \omega_z := *;\ \omega_u := *;\ \omega_v := *;$$
$$x_1' = d_1 \wedge x_2' = d_2 \wedge d_1' = -\omega_x d_2 \wedge d_2' = \omega_x d_1 \wedge y_1' = e_1 \wedge y_2' = e_2 \wedge e_1' = -\omega_y e_2 \wedge e_2' = \omega_y e_1$$
$$\wedge z_1' = f_1 \wedge z_2' = f_2 \wedge f_1' = -\omega_z f_2 \wedge f_2' = \omega_z f_1 \wedge u_1' = g_1 \wedge u_2' = g_2 \wedge g_1' = -\omega_u g_2 \wedge g_2' = \omega_u g_1$$
$$\wedge v_1' = h_1 \wedge v_2' = h_2 \wedge h_1' = -\omega_v h_2 \wedge h_2' = \omega_v h_1 \wedge \mathcal{S}(p)\big)^*$$
$$\mathit{agree} \equiv \omega := *;\ c := *$$
$$\mathit{entry}_n \equiv d_1 := -\omega(x_2 - c_2);\ d_2 := \omega(x_1 - c_1);\ e_1 := -\omega(y_2 - c_2);\ e_2 := \omega(y_1 - c_1);$$
$$f_1 := -\omega(z_2 - c_2);\ f_2 := \omega(z_1 - c_1);\ g_1 := -\omega(u_2 - c_2);\ g_2 := \omega(u_1 - c_1);\ h_1 := -\omega(v_2 - c_2);\ h_2 := \omega(v_1 - c_1)$$

Figure 13: Tangential roundabout collision avoidance maneuver (5 aircraft)
A.5  Safe Entry Separation Proof (AC5)

Cartesian Degree Reduction  To simplify separation property (6), we use the (linearly definable) supremum norm $\|\cdot\|_\infty$ in place of the (quadratically definable) Euclidean 2-norm $\|\cdot\|_2$, thereby yielding the following provable variant of (6):

$$\|x - y\|_\infty \geq p + 2bT \wedge p > 0 \wedge \|d\|^2 \leq b^2 \wedge \|e\|^2 \leq b^2 \wedge b > 0 \wedge T > 0$$
$$\rightarrow\ [\tau := 0;\ \exists\omega\,\mathcal{F}(\omega) \wedge \exists\varrho\,\mathcal{G}(\varrho) \wedge \tau' = 1 \wedge \tau \leq T]\,(\|x - y\|_\infty \geq p) \qquad (16)$$

Here, the angular velocity $\omega$ is allowed to change arbitrarily and nondeterministically during the flight, which we indicate by the quantifier $\exists\omega$ in the continuous dynamics (likewise $\exists\varrho$ for the second aircraft). Using the standard equivalence of norms in the plane, $\|z\|_\infty \leq \|z\|_2 \leq \sqrt{2}\,\|z\|_\infty$, we conclude that the following variant of (16) with Euclidean 2-norms is valid:

$$\|x - y\|_2 \geq \sqrt{2}\,(p + 2bT) \wedge p > 0 \wedge \|d\|^2 \leq b^2 \wedge \|e\|^2 \leq b^2 \wedge b > 0 \wedge T > 0$$
$$\rightarrow\ [\tau := 0;\ \exists\omega\,\mathcal{F}(\omega) \wedge \exists\varrho\,\mathcal{G}(\varrho) \wedge \tau' = 1 \wedge \tau \leq T]\,(\|x - y\|_2 \geq p)$$

The extra factor of $\sqrt{2}$ in the separation requirement results from the relaxation of the 2-norm to the $\infty$-norm. Using AC4, it is easy to see that the entry maneuver is a special case refining the above nondeterministic curved flight dynamics. Thus we conclude that property (6) is valid.


A.6  Far Separation during Successful Negotiation (AC6)

Feasible Negotiation Choices  We show that the choices for property (9) are feasible for simultaneous flight path intersections, i.e., there always is a mutually agreeable choice:

$$\|d\| = \|e\| \wedge \lambda > 0 \wedge x + \lambda d = y + \lambda e \ \rightarrow$$
$$\langle c := x + \lambda d;\ r := *;\ ?\|x - c\| = \sqrt{3}\,r;\ ?\|y - c\| = \sqrt{3}\,r;\ \omega := *;\ ?(r\omega)^2 = \|d\|^2\rangle$$
$$\big(\|x - c\| = \sqrt{3}\,r \wedge \lambda > 0 \wedge x + \lambda d = c \wedge \|y - c\| = \sqrt{3}\,r \wedge \lambda > 0 \wedge y + \lambda e = c\big) \qquad (17)$$

The essential difference to (9) is the use of a diamond modality, which expresses existence of a corresponding transition that satisfies all the constraints of the dynamics.

Separation During Negotiation  The entry procedure has to be initiated while the aircraft are still sufficiently far apart for safety reasons. Otherwise, there may not be sufficient maneuvering space for collision avoidance. Correspondingly, the $\mathit{agree}$ procedure will negotiate a roundabout choice while the aircraft have far distance. Thus, the $\mathit{agree}$ procedure will have to maintain far separation, i.e., satisfy the property

$$\|x - y\| \geq \sqrt{2}\left(p + \tfrac{2}{3}\pi r\right) \ \rightarrow\ [\mathit{agree}]\,\|x - y\| \geq \sqrt{2}\left(p + \tfrac{2}{3}\pi r\right) \qquad (18)$$

This may seem like a trivial property, because $\mathit{agree}$ models the successful completion of the negotiation, so that no time elapses during the dynamics of $\mathit{agree}$, hence the positions $x$ and $y$ do not even change. Observe, however, that the far separation distance according to equation (8) depends on the protected zone $p$ and the radius $r$ of evasive actions. Unlike $p$, radius $r$ may change during $\mathit{agree}$, which allows for the flexibility of changing the flight radius $r$ adaptively when repeating the roundabout maneuver loop at different positions. Consequently, the far separation distance $\sqrt{2}\,(p + \tfrac{2}{3}\pi r)$ is affected when changing $r$.

To ensure that the new radius $r$ is chosen such that far separation is still maintained, i.e., property (18) is respected, we add a corresponding constraint to $\mathit{agree}$. Thus, changes of $r$ are only accepted as long as they do not compromise far separation. We show that, when adding a corresponding constraint to property (9), all choices by $\mathit{agree}$ maintain far separation of the aircraft at $x$ and $y$ according to (8):

$$\|d\| = \|e\| \wedge \lambda > 0 \wedge x + \lambda d = y + \lambda e \ \rightarrow$$
$$[c := x + \lambda d;\ r := *;\ ?\|x - c\| = \sqrt{3}\,r;\ ?\|y - c\| = \sqrt{3}\,r;\ ?\|x - y\| \geq \sqrt{2}\left(p + \tfrac{2}{3}\pi r\right);\ \omega := *;\ ?(r\omega)^2 = \|d\|^2]$$
$$\big(\|x - c\| = \sqrt{3}\,r \wedge \lambda > 0 \wedge x + \lambda d = c \wedge \|y - c\| = \sqrt{3}\,r \wedge \lambda > 0 \wedge y + \lambda e = c \wedge \|x - y\| \geq \sqrt{2}\left(p + \tfrac{2}{3}\pi r\right)\big) \qquad (19)$$

Finally, we analyze when such choices of $\mathit{agree}$ are feasible using a diamond modality:

$$\|d\| = \|e\| \wedge \lambda > 0 \wedge x + \lambda d = y + \lambda e \ \rightarrow\ \langle c := x + \lambda d;\ r := *;\ ?\|x - c\| = \|y - c\| = \sqrt{3}\,r\rangle\,\|x - y\| \geq \sqrt{2}\left(p + \tfrac{2}{3}\pi r\right) \qquad (20)$$

The corresponding distance constraints on $x$, $y$ and $c$ for $\mathit{agree}$, respectively, are depicted in Fig. 9a. Using standard trigonometric relations for each half of the isosceles triangle $x, c, y$ (legs $\sqrt{3}\,r$, intersection angle $\gamma$ of the flight paths at $c$), we can compute the resulting distance of $x$ and $y$ as $\|x - y\| = 2\sqrt{3}\,r\,\sin\frac{\gamma}{2}$. With Collins-Tarski quantifier elimination and simple evaluation for the remaining trigonometric expressions, we can determine under which circumstances property (20) holds true, i.e., for all protected zones $p$ there is a radius $r$ satisfying the distance requirements:

$$\forall p\,\exists r{>}0\,\Big(2\sqrt{3}\,r\,\sin\tfrac{\gamma}{2} \geq \sqrt{2}\big(p + \tfrac{2}{3}\pi r\big)\Big) \ \equiv\ \sin\tfrac{\gamma}{2} > \frac{\sqrt{2}\,\pi}{3\sqrt{3}} \ \equiv\ \gamma > 117.527^\circ$$

Consequently, corresponding choices are feasible for all protected zones with flight paths that do not intersect with narrow collision angles. The constraint on the flight path intersection angle relaxes to $\gamma > 74.4^\circ$ when removing the extra factor of $\sqrt{2}$ from (8), which results from our computational simplification of Cartesian degree reduction in Section 4.7.

Despite the presence of trigonometric expressions, the above formula is a substitution instance of first-order real arithmetic and can thus be handled by our quantifier elimination lifting [18]. Note that the primary difference to trigonometric expressions occurring in the solutions of flight equations for curved flight, which do not support quantifier elimination, is that the argument $\frac{\gamma}{2}$ of $\sin$ is not quantified over, here.
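The feasibility analysis above can be carried through numerically. The following Python script is an added example (not part of the original paper and not KeYmaera input): it builds the Fig. 9a configuration for a chosen radius $r$ and intersection angle $\gamma$, evaluates the tests that $\mathit{agree}$ performs in (19) on it, computes the smallest radius that satisfies the far-separation test of (20) as the witness for $\exists r{>}0$, and reproduces the two critical angles $117.527^\circ$ (with the $\sqrt{2}$ of (8)) and $74.4^\circ$ (without it). The coordinate placement ($c$ at the origin, $x$ on the negative first axis, unit speed) and the tolerance constants are assumptions of this script.

```python
import math

SQRT2, SQRT3 = math.sqrt(2.0), math.sqrt(3.0)


def far_separation(p, r):
    """f = √2 (p + (2/3) π r): equation (8) after substituting T = π r / (3 b)."""
    return SQRT2 * (p + 2.0 * math.pi * r / 3.0)


def negotiation_distance(r, gamma_deg):
    """||x - y|| = 2 √3 r sin(γ/2) for the isosceles triangle x, c, y of Fig. 9a
    (both legs √3 r, intersection angle γ at c)."""
    return 2.0 * SQRT3 * r * math.sin(math.radians(gamma_deg) / 2.0)


def min_feasible_radius(p, gamma_deg, sqrt2_factor=True):
    """Smallest r > 0 with negotiation_distance(r, γ) ≥ far_separation(p, r), i.e. a witness
    for the ∃r>0 of (20); None when no radius works.  Both sides are linear in r, so a witness
    exists iff the distance grows faster in r than the far separation does, which is exactly
    the quantifier-free condition sin(γ/2) > √2 π / (3 √3) stated in the text."""
    k = SQRT2 if sqrt2_factor else 1.0
    slope = 2.0 * SQRT3 * math.sin(math.radians(gamma_deg) / 2.0) - k * 2.0 * math.pi / 3.0
    if slope <= 0.0:
        return None
    return k * p / slope


def critical_angle_deg(sqrt2_factor=True):
    """Intersection angle above which (20) is feasible for every protected zone p > 0:
    2·asin(√2 π / (3 √3)) ≈ 117.527°, or 2·asin(π / (3 √3)) ≈ 74.4° without the √2 of (8)."""
    k = SQRT2 if sqrt2_factor else 1.0
    return 2.0 * math.degrees(math.asin(k * math.pi / (3.0 * SQRT3)))


def agree_configuration(r, gamma_deg, speed=1.0):
    """Constructed Fig. 9a instance (an assumption of this script): x and y at distance √3 r
    from c = (0, 0), both heading towards c with equal speed, flight paths meeting at angle γ.
    Returns x, y, d, e and the common time-to-intersection λ."""
    g = math.radians(gamma_deg)
    x = (-SQRT3 * r, 0.0)
    y = (-SQRT3 * r * math.cos(g), -SQRT3 * r * math.sin(g))
    d = (speed, 0.0)
    e = (speed * math.cos(g), speed * math.sin(g))
    lam = SQRT3 * r / speed                          # x + λ d = y + λ e = c
    return x, y, d, e, lam


def agree_tests_pass(p, r, gamma_deg, speed=1.0, tol=1e-9):
    """Evaluate the tests of agree in (19) on that configuration: simultaneous intersection,
    distance √3 r of both aircraft to c, and the far-separation test (18)."""
    x, y, d, e, lam = agree_configuration(r, gamma_deg, speed)
    c = (x[0] + lam * d[0], x[1] + lam * d[1])

    def dist(a, b):
        return math.hypot(a[0] - b[0], a[1] - b[1])

    meets_at_c = dist((y[0] + lam * e[0], y[1] + lam * e[1]), c) < tol
    legs_ok = abs(dist(x, c) - SQRT3 * r) < tol and abs(dist(y, c) - SQRT3 * r) < tol
    far_ok = dist(x, y) + tol >= far_separation(p, r)
    return meets_at_c and legs_ok and far_ok


if __name__ == "__main__":
    print(f"critical angle with sqrt(2): {critical_angle_deg():.3f} deg")
    print(f"critical angle without sqrt(2): {critical_angle_deg(False):.3f} deg")
    for gamma in (90.0, 120.0, 150.0):
        r = min_feasible_radius(1.0, gamma)
        print(f"gamma={gamma:5.1f}: min feasible r for p=1 ->", "none" if r is None else f"{r:.3f}")
```

The script makes the practical consequence of the $\sqrt{2}$ factor visible: for $\gamma = 90^\circ$ no radius satisfies the far-separation test at all, so $\mathit{agree}$ as constrained in (19) cannot complete for such a conflict, whereas the same geometry without the Cartesian degree reduction ($\gamma > 74.4^\circ$) would admit it.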
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A.7  Safe  Exit  Separation  Proof  (AC7) 

Safe  Separation  To  reduce  the  arithmetical  complexity,  we  overapproximate  property  (10)  by 
showing  that  even  the  whole  exit  rays  never  cross  when  the  aircraft  exit  the  same  roundabout  tan¬ 
gentially  (see  Fig.  9b;  the  counterexample  in  Fig.  9c  shows  that  the  assumption  ||a:  —  c|| 2  =  \\y  —  c||: 
on  identical  radius  is  required  for  this  relaxation): 

1Z  A  ||a:  —  c||2  =  \\y  —  c|| 2  A  x  ^  y  — >  [x'  =  d\y  =  e]x  ^  y  (21) 

Property  (10)  clearly  refines  (21),  because  every  synchronous  evolution  along  the  joint  differential 
equation  system  x'  —  d  A  y'  —  e  can  be  emulated  by  successive  evolutions  x'  —  d;  y'  —  e  with  two 
consecutive  evolutions  of  identical  duration. 

Again the computational complexity of proving this property can be simplified by adding $c_1 := 0 \wedge c_2 := 0$ by symmetry reduction. From this property, the original separation property (10) follows using the geometric fact that, for linearity reasons, rays that never cross cannot come closer than the original distance $p$. This can be expressed elegantly in $d\mathcal{L}$:

$\|x - y\|^2 \geq p^2 \wedge [x' = d \wedge y' = e]\, x \neq y \to [x' = d \wedge y' = e]\,(\|x - y\|^2 \geq p^2)$ (22)

Thus, by combining (21) with (22) propositionally (modus ponens) and by the simple fact that the sequential independent ray evolution $x' = d;\ y' = e$ is an overapproximation of the synchronous evolution $x' = d \wedge y' = e$, we conclude that property (10) is valid.

Far Separation To show that the aircraft reach arbitrary separation when following the exit procedure long enough, we prove that aircraft which enter roundabouts in different directions always remain in different directions while following the roundabout:

$\mathcal{R} \wedge d \neq e \to [\mathcal{F}(\omega) \wedge \mathcal{G}(\omega)]\, \|d - e\|^2 > 0$ (23)

We combine (23) with the geometric fact that rays into different directions which never cross will be arbitrarily far apart after sufficient time (Fig. 9b):

$d \neq e \wedge [x' = d \wedge y' = e]\, x \neq y \to \forall a\, \langle x' = d \wedge y' = e \rangle\, (\|x - y\|^2 \geq a^2)$

By  combining  this  geometric  fact  with  (23),  we  obtain  the  final  separation  property  by  standard 
propositional  reasoning.  It  says  that — due  to  their  different  directions — the  exit  procedure  will 
finally  separate  the  aircraft  arbitrarily  far.  This  proves  property  (11). 


$\psi \equiv d_1^2 + d_2^2 = e_1^2 + e_2^2 \wedge r > 0 \wedge (x_1 - y_1)^2 + (x_2 - y_2)^2 \geq 2(p + [?]\,\pi r)$
$\quad \to [\mathit{FTRM}^*]\,(x_1 - y_1)^2 + (x_2 - y_2)^2 \geq p^2$

$\mathit{FTRM} \equiv (\omega := *;\ \varrho := *;\ \mathit{free}) \cup (\mathit{agree};\ \mathit{entry}_x \wedge \mathit{entry}_y;\ \mathit{circ}_x \wedge \mathit{circ}_y;\ \mathit{exit}_x \wedge \mathit{exit}_y)$

$\mathit{free} \equiv x_1' = d_1 \wedge x_2' = d_2 \wedge d_1' = -\omega d_2 \wedge d_2' = \omega d_1$
$\quad \wedge y_1' = e_1 \wedge y_2' = e_2 \wedge e_1' = -\varrho e_2 \wedge e_2' = \varrho e_1$
$\quad \wedge (x_1 - y_1)^2 + (x_2 - y_2)^2 \geq 2(p + [?]\,\pi r)$

$\mathit{agree} \equiv c := *;\ r := *;\ ?r > 0;\ ?(x_1 - c_1)^2 + (x_2 - c_2)^2 = 3r^2;$
$\quad ?\exists \lambda{>}0\,(x_1 + \lambda d_1 = c_1 \wedge x_2 + \lambda d_2 = c_2);$
$\quad ?(y_1 - c_1)^2 + (y_2 - c_2)^2 = 3r^2;$
$\quad ?\exists \lambda{>}0\,(y_1 + \lambda e_1 = c_1 \wedge y_2 + \lambda e_2 = c_2);$
$\quad ?(x_1 - y_1)^2 + (x_2 - y_2)^2 \geq 2(p + [?]\,\pi r);$
$\quad \omega := *;\ ?(r\omega)^2 = d_1^2 + d_2^2$

$\mathit{entry} \equiv x_1^0 := x_1;\ x_2^0 := x_2;\ d_1^0 := d_1;\ d_2^0 := d_2;\ y_1^0 := y_1;\ y_2^0 := y_2;\ e_1^0 := e_1;\ e_2^0 := e_2;$
$\quad x_1' = d_1 \wedge x_2' = d_2 \wedge d_1' = -(-\omega) d_2 \wedge d_2' = -\omega d_1$
$\quad \wedge y_1' = e_1 \wedge y_2' = e_2 \wedge e_1' = -(-\omega) e_2 \wedge e_2' = -\omega e_1;$
$\quad ?(x_1 - c_1)^2 + (x_2 - c_2)^2 = r^2$

$\mathit{circ} \equiv x_1' = d_1 \wedge x_2' = d_2 \wedge d_1' = -\omega d_2 \wedge d_2' = \omega d_1$
$\quad \wedge y_1' = e_1 \wedge y_2' = e_2 \wedge e_1' = -\omega e_2 \wedge e_2' = \omega e_1$
$\quad \wedge \big(\neg(\exists \lambda{>}0\, \exists \mu{>}0\,(x_1 + \lambda d_1 = x_1^0 + \mu d_1^0 \wedge x_2 + \lambda d_2 = x_2^0 + \mu d_2^0)$
$\qquad\quad \wedge \exists \lambda{>}0\, \exists \mu{>}0\,(y_1 + \lambda e_1 = y_1^0 + \mu e_1^0 \wedge y_2 + \lambda e_2 = y_2^0 + \mu e_2^0))$
$\qquad \vee\ \partial(\exists \lambda{>}0\, \exists \mu{>}0\,(x_1 + \lambda d_1 = x_1^0 + \mu d_1^0 \wedge x_2 + \lambda d_2 = x_2^0 + \mu d_2^0)$
$\qquad\quad \wedge \exists \lambda{>}0\, \exists \mu{>}0\,(y_1 + \lambda e_1 = y_1^0 + \mu e_1^0 \wedge y_2 + \lambda e_2 = y_2^0 + \mu e_2^0))\big);$
$\quad ?(\exists \lambda{>}0\, \exists \mu{>}0\,(x_1 + \lambda d_1 = x_1^0 + \mu d_1^0 \wedge x_2 + \lambda d_2 = x_2^0 + \mu d_2^0)$
$\qquad \wedge \exists \lambda{>}0\, \exists \mu{>}0\,(y_1 + \lambda e_1 = y_1^0 + \mu e_1^0 \wedge y_2 + \lambda e_2 = y_2^0 + \mu e_2^0))$

$\mathit{exit} \equiv x_1' = d_1 \wedge x_2' = d_2 \wedge y_1' = e_1 \wedge y_2' = e_2;$
$\quad ?(x_1 - y_1)^2 + (x_2 - y_2)^2 \geq 2(p + [?]\,\pi r)$

(The coefficient of $\pi r$ in the separation bound, written $[?]$ above, is not legible in the scan.)

Figure 14: Flight control with FTRM (synchronous instantiation)
B Semantics of Differential Dynamic Logic

The semantics of $d\mathcal{L}$ [18] is a Kripke semantics in which states of the Kripke model are states of the hybrid system. A state is a map $\nu : V \to \mathbb{R}$; the set of all states is denoted by $\mathrm{Sta}$. We write $\nu \models \phi$ if formula $\phi$ is true at state $\nu$ (Def. 2). Likewise, $[\![\theta]\!]_\nu$ denotes the real value of term $\theta$ at state $\nu$. The semantics of HP $\alpha$ is captured by the state transitions that are possible by running $\alpha$. For continuous evolutions, the transition relation holds for pairs of states that can be interconnected by a continuous flow respecting the differential equation and invariant region. That is, there is a continuous transition along $x' = \theta \wedge \chi$ from state $\nu$ to state $\omega$, if there is a solution of the differential equation $x' = \theta$ that starts in state $\nu$ and ends in $\omega$ and that always remains within the region $\chi$ during its evolution. As in [7], we assume non-Zeno behavior, for simplicity.


Definition 1 (Transition system of hybrid programs) The transition relation, $\rho(\alpha)$, of a hybrid program $\alpha$, specifies which state $\omega$ is reachable from a state $\nu$ by operations of $\alpha$ and is defined as follows

1. $(\nu, \omega) \in \rho(x := \theta)$ iff the state $\omega$ is identical to $\nu$ except that $\omega(x) = [\![\theta]\!]_\nu$.

2. $(\nu, \omega) \in \rho(x := *)$ iff the state $\omega$ agrees with $\nu$ except for the value of $x$, which is an arbitrary real value.

3. $(\nu, \omega) \in \rho(x_1' = \theta_1 \wedge \ldots \wedge x_n' = \theta_n \wedge \chi)$ iff for some $r \geq 0$, there is a function $\varphi : [0, r] \to \mathrm{Sta}$ with $\varphi(0) = \nu$, $\varphi(r) = \omega$, such that,

   • The differential equation holds, i.e., for each $x_i$ and each time $\zeta \in [0, r]$,

   $$\frac{\mathrm{d}\,[\![x_i]\!]_{\varphi(t)}}{\mathrm{d}t}(\zeta) = [\![\theta_i]\!]_{\varphi(\zeta)}$$

   • For other variables $y \notin \{x_1, \ldots, x_n\}$ and $\zeta \in [0, r]$, the value remains constant, i.e., $[\![y]\!]_{\varphi(\zeta)} = [\![y]\!]_{\varphi(0)}$.

   • The invariant is always respected, i.e., $\varphi(\zeta) \models \chi$ for each $\zeta \in [0, r]$.

4. $\rho(\alpha \cup \beta) = \rho(\alpha) \cup \rho(\beta)$

5. $\rho(\alpha; \beta) = \{(\nu, \omega) : (\nu, z) \in \rho(\alpha),\ (z, \omega) \in \rho(\beta) \text{ for a state } z\}$

6. $(\nu, \omega) \in \rho(\alpha^*)$ iff there are an $n \in \mathbb{N}$ and $\nu = \nu_0, \ldots, \nu_n = \omega$ such that $(\nu_i, \nu_{i+1}) \in \rho(\alpha)$ for all $0 \leq i < n$.


Definition 2 (Interpretation of $d\mathcal{L}$ formulas) The interpretation $\models$ of a $d\mathcal{L}$ formula with respect to state $\nu$ uses the standard meaning of first-order logic:

1. $\nu \models \theta_1 \sim \theta_2$ iff $[\![\theta_1]\!]_\nu \sim [\![\theta_2]\!]_\nu$ for $\sim\ \in \{=, \leq, <, \geq, >\}$

2. $\nu \models \phi \wedge \psi$ iff $\nu \models \phi$ and $\nu \models \psi$; accordingly for $\neg, \vee, \to, \leftrightarrow$

3. $\nu \models \forall x\, \phi$ iff $\omega \models \phi$ for all $\omega$ that agree with $\nu$ except for the value of $x$

4. $\nu \models \exists x\, \phi$ iff $\omega \models \phi$ for some $\omega$ that agrees with $\nu$ except for the value of $x$

It extends to correctness statements about a HP $\alpha$ as follows

5. $\nu \models [\alpha]\phi$ iff $\omega \models \phi$ for all $\omega$ with $(\nu, \omega) \in \rho(\alpha)$

6. $\nu \models \langle \alpha \rangle \phi$ iff $\omega \models \phi$ for some $\omega$ with $(\nu, \omega) \in \rho(\alpha)$